From patchwork Fri Oct 4 19:07:58 2019
X-Patchwork-Submitter: Roman Gushchin
X-Patchwork-Id: 11175235
From: Roman Gushchin
CC: Johannes Weiner, Roman Gushchin, Karsten Graul, Shakeel Butt, Vladimir Davydov, David Rientjes
Subject: [PATCH] mm: memcg/slab: fix panic in __free_slab() caused by premature memcg pointer release
Date: Fri, 4 Oct 2019 12:07:58 -0700
Message-ID: <20191004190758.103393-1-guro@fb.com>

Karsten reported the following panic in __free_slab() happening on a s390x
machine:

[  349.361168] Unable to handle kernel pointer dereference in virtual kernel address space
[  349.361210] Failing address: 0000000000000000 TEID: 0000000000000483
[  349.361223] Fault in home space mode while using kernel ASCE.
[  349.361240] AS:00000000017d4007 R3:000000007fbd0007 S:000000007fbff000 P:000000000000003d
[  349.361340] Oops: 0004 ilc:3 [#1] PREEMPT SMP
[  349.361349] Modules linked in: tcp_diag inet_diag xt_tcpudp ip6t_rpfilter ip6t_REJECT \
nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ip6table_nat ip6table_mangle \
ip6table_raw ip6table_security iptable_at nf_nat
[  349.361436] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-05872-g6133e3e4bada-dirty #14
[  349.361445] Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0)
[  349.361450] Krnl PSW : 0704d00180000000 00000000003cadb6 (__free_slab+0x686/0x6b0)
[  349.361464]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
[  349.361470] Krnl GPRS: 00000000f3a32928 0000000000000000 000000007fbf5d00 000000000117c4b8
[  349.361475]            0000000000000000 000000009e3291c1 0000000000000000 0000000000000000
[  349.361481]            0000000000000003 0000000000000008 000000002b478b00 000003d080a97600
[  349.361481]            0000000000000003 0000000000000008 000000002b478b00 000003d080a97600
[  349.361486]            000000000117ba00 000003e000057db0 00000000003cabcc 000003e000057c78
[  349.361500] Krnl Code: 00000000003cada6: e310a1400004 lg %r1,320(%r10)
[  349.361500]            00000000003cadac: c0e50046c286 brasl %r14,ca32b8
[  349.361500]           #00000000003cadb2: a7f4fe36 brc 15,3caa1e
[  349.361500]           >00000000003cadb6: e32060800024 stg %r2,128(%r6)
[  349.361500]            00000000003cadbc: a7f4fd9e brc 15,3ca8f8
[  349.361500]            00000000003cadc0: c0e50046790c brasl %r14,c99fd8
[  349.361500]            00000000003cadc6: a7f4fe2c brc 15,3caa
[  349.361500]            00000000003cadc6: a7f4fe2c brc 15,3caa1e
[  349.361500]            00000000003cadca: ecb1ffff00d9 aghik %r11,%r1,-1
[  349.361619] Call Trace:
[  349.361627] ([<00000000003cabcc>] __free_slab+0x49c/0x6b0)
[  349.361634]  [<00000000001f5886>] rcu_core+0x5a6/0x7e0
[  349.361643]  [<0000000000ca2dea>] __do_softirq+0xf2/0x5c0
[  349.361652]  [<0000000000152644>] irq_exit+0x104/0x130
[  349.361659]  [<000000000010d222>] do_IRQ+0x9a/0xf0
[  349.361667]  [<0000000000ca2344>] ext_int_handler+0x130/0x134
[  349.361674]  [<0000000000103648>] enabled_wait+0x58/0x128
[  349.361681] ([<0000000000103634>] enabled_wait+0x44/0x128)
[  349.361688]  [<0000000000103b00>] arch_cpu_idle+0x40/0x58
[  349.361695]  [<0000000000ca0544>] default_idle_call+0x3c/0x68
[  349.361704]  [<000000000018eaa4>] do_idle+0xec/0x1c0
[  349.361748]  [<000000000018ee0e>] cpu_startup_entry+0x36/0x40
[  349.361756]  [<000000000122df34>] arch_call_rest_init+0x5c/0x88
[  349.361761]  [<0000000000000000>] 0x0
[  349.361765] INFO: lockdep is turned off.
[  349.361769] Last Breaking-Event-Address:
[  349.361774]  [<00000000003ca8f4>] __free_slab+0x1c4/0x6b0
[  349.361781] Kernel panic - not syncing: Fatal exception in interrupt

The kernel panics on an attempt to dereference the NULL memcg pointer.
When shutdown_cache() is called from the kmem_cache_destroy() context,
a memcg kmem_cache might have empty slab pages in a partial list,
which are still charged to the memory cgroup. These pages are released
by free_partial() at the beginning of shutdown_cache(): either
directly or by scheduling an RCU-delayed work (if the kmem_cache has
the SLAB_TYPESAFE_BY_RCU flag). The latter case is when the reported
panic can happen: memcg_unlink_cache() is called immediately after
shrinking partial lists, without waiting for scheduled RCU works.
It sets the kmem_cache->memcg_params.memcg pointer to NULL,
and the following attempt to dereference it by __free_slab()
from the RCU work context causes the panic.

To fix the issue, let's postpone the release of the memcg pointer
to destroy_memcg_params(). It's called from a separate work context
by slab_caches_to_rcu_destroy_workfn(), which contains a full RCU
barrier. This guarantees that all scheduled page release RCU works
will complete before the memcg pointer will be zeroed.

Big thanks to Karsten for the perfect report containing all necessary
information, his help with the analysis of the problem and testing
of the fix.

Fixes: fb2f2b0adb98 ("mm: memcg/slab: reparent memcg kmem_caches on cgroup removal") Reported-by: Karsten Graul Tested-by: Karsten Graul Signed-off-by: Roman Gushchin Cc: Karsten Graul Cc: Shakeel Butt Cc: Vladimir Davydov Cc: David Rientjes --- mm/slab_common.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/mm/slab_common.c b/mm/slab_common.c index 0b94a37da531..8afa188f6e20 100644 --- a/mm/slab_common.c +++ b/mm/slab_common.c @@ -178,10 +178,13 @@ static int init_memcg_params(struct kmem_cache *s, static void destroy_memcg_params(struct kmem_cache *s) { - if (is_root_cache(s)) + if (is_root_cache(s)) { kvfree(rcu_access_pointer(s->memcg_params.memcg_caches)); - else + } else { + mem_cgroup_put(s->memcg_params.memcg); + WRITE_ONCE(s->memcg_params.memcg, NULL); percpu_ref_exit(&s->memcg_params.refcnt); + } } static void free_memcg_params(struct rcu_head *rcu) @@ -253,8 +256,6 @@ static void memcg_unlink_cache(struct kmem_cache *s) } else { list_del(&s->memcg_params.children_node); list_del(&s->memcg_params.kmem_caches_node); - mem_cgroup_put(s->memcg_params.memcg); - WRITE_ONCE(s->memcg_params.memcg, NULL); } } #else
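Review bot: In the first hunk, the new else branch of destroy_memcg_params() drops the memcg reference and clears s->memcg_params.memcg without any comment saying why this has to happen here rather than in memcg_unlink_cache(). The safety argument (slab_caches_to_rcu_destroy_workfn() contains a full RCU barrier, so the RCU works that reach __free_slab() have completed by this point) exists only in the commit message; a short comment above mem_cgroup_put() stating that ordering requirement would keep a later cleanup from moving the put back to the unlink path. Since the branch now passes s->memcg_params.memcg to mem_cgroup_put() unconditionally for every non-root cache, it is also worth confirming that every caller of destroy_memcg_params() reaches it with the pointer set, or that mem_cgroup_put() tolerates NULL.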
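Review bot: In the second hunk, after the two list_del() calls in memcg_unlink_cache() a non-root cache is now off both lists but still carries a non-NULL memcg_params.memcg and a held memcg reference until destroy_memcg_params() runs from the work context. Please confirm that no reader relies on the pointer being NULL as the sign that the cache has already been unlinked, and say in the changelog that the memcg now stays pinned until the deferred destroy work completes, since that longer lifetime is a behaviour change beyond the crash fix itself.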